This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is a concept within [Kerberos].
[{$pagename}] is defined in [RFC 6113], and there is an [IANA Registry] for [Pre-authentication and Typed Data|https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#pre-authentication|target='_blank'].
[{$pagename}] is a security feature that offers protection against [password-guessing|Brute-Force] [attacks]. The AS request identifies the client to the [KDC] in [Plaintext]. If [{$pagename}] is enabled, a [Timestamp] will be [encrypted] using the user's [password] [hash] as an [encryption] [key]. If the [KDC] decrypts the [Timestamp] with the user's password hash, which is available in [Microsoft Active Directory], and reads a valid time, the [KDC] knows that the request isn't a replay of a previous request.
Without [{$pagename}], a [malicious] [attacker] can directly send a dummy request for [authentication]. The [KDC] will return an [encrypted] [TGT], and the [attacker] can brute force it offline.
Upon checking the [KDC] logs, nothing will be seen except a single request for a [TGT]. When [Kerberos] [timestamp] [{$pagename}] is enforced, the [attacker] cannot directly ask the [KDCs] for the encrypted material to [Brute-Force] offline.
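
The single logged request described above can still be hunted for. The following is an added example, not part of the original page: it assumes a Microsoft Active Directory KDC whose Security event 4768 records have been exported as JSON with the standard field names (PreAuthType, Status, TargetUserName, IpAddress), and all sample values are constructed.

```python
import json
from collections import defaultdict

# Constructed sample: event 4768 (TGT requested) records flattened to JSON,
# as a SIEM export might present them. Every value here is invented.
SAMPLE_EVENTS = """
[
 {"EventID": 4768, "TargetUserName": "alice", "Status": "0x0",
  "PreAuthType": "2", "IpAddress": "::ffff:10.0.0.21"},
 {"EventID": 4768, "TargetUserName": "svc_legacy", "Status": "0x0",
  "PreAuthType": "0", "IpAddress": "::ffff:10.0.0.99"},
 {"EventID": 4768, "TargetUserName": "svc_backup", "Status": "0x0",
  "PreAuthType": "0", "IpAddress": "::ffff:10.0.0.99"},
 {"EventID": 4768, "TargetUserName": "SVC_Legacy", "Status": "0x0",
  "PreAuthType": "0", "IpAddress": "::ffff:10.0.0.99"},
 {"EventID": 4768, "TargetUserName": "bob", "Status": "0x6",
  "PreAuthType": "0", "IpAddress": "::ffff:10.0.0.99"},
 {"EventID": 4769, "TargetUserName": "alice", "Status": "0x0",
  "IpAddress": "::ffff:10.0.0.21"}
]
"""


def find_no_preauth_tgt_requests(events):
    """Map source IP -> sorted accounts that were issued a TGT without pre-authentication."""
    hits = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4768:
            continue  # only AS exchanges (TGT requests) are relevant
        # Only Status 0x0 means a ticket was issued; a failed request
        # hands back no encrypted material to attack offline.
        if int(ev.get("Status", "0xffffffff"), 16) != 0:
            continue
        # PreAuthType 0 = the KDC answered without any pre-authentication data.
        if str(ev.get("PreAuthType", "")).strip() != "0":
            continue
        ip = ev.get("IpAddress", "unknown")
        if ip.startswith("::ffff:"):  # strip the IPv4-mapped IPv6 prefix
            ip = ip[len("::ffff:"):]
        hits[ip].add(ev["TargetUserName"].lower())  # account names are case-insensitive
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for src, accounts in find_no_preauth_tgt_requests(json.loads(SAMPLE_EVENTS)).items():
        print(f"{src}: TGT issued without pre-authentication for {', '.join(accounts)}")
```

Several distinct accounts from one source address is the pattern worth alerting on; each account that appears should have pre-authentication re-enabled unless there is a documented reason otherwise.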